Powershell Security Model: Script Security Officer, Part 1

One interesting element of PowerShell’s security model is its reliance upon digital signatures.  You can make decisions on which scripts to trust based on whether the author has digitally “signed” it.  But how does that really work?  How can I know if this script really was written by… whomever?

Let me answer that this way — have you ever been pulled over?

The conversation starts out so pleasantly. “License and registration, please.”  How polite!  But then the awful truth hits you.  You left your driver’s license on the kitchen counter at home!  What do you do?  Fortunately, a simple solution presents itself.  All you need to do is grab the stack of Post-it™ notes from your briefcase and the ballpoint pen in the glove compartment, apply your 3rd grade art skills, and… voila!

“Uh — I can’t accept this”, says the officer. The problem is a classic question of authentication.  Authentication is the process of determining if someone is authentic, that is, whether a person is who he or she claims to be.  The officer’s first job is to determine who, exactly, you are.  The Post-it note solution fails precisely because it comes from you.  If your identity is the question to be resolved, anything you create is also subject to the same question.

“Who drew this?”

“Um — I did, officer.”

“And who are you?”

“It — ah — says on the license?”

“No, this doesn’t tell me who you are. It just says who you want me to think you are.  Look here:

We’re going in circles, you see.  You’re giving me information that you believe to be accurate. But the one thing I need to know first is just who you are.”

In other words, the officer wants that information confirmed by someone whose identity is already known.  What the officer needs is the Department of Motor Vehicles.

Borrowing the Post-it notes and your pen again, the officer jots another diagram.  “Here, take a look at this.”

“See, here’s how this is supposed to work.  I ask you for a license, and you give me the one you got at the Department of Motor Vehicles.  I already trust them, see, so if they were willing to give you a license, I’m willing to believe the information they put on the card is right.”

Let’s leave this happy conversation and return to PowerShell.  You’re a system administrator in your IT department, and you have lots to do.  As you get ready to start a big server migration project, a colleague says, “You know, there’s a PowerShell script that will do all that for you.”

“Is that so?” you think to yourself.  Downloading the script from the Web, you prepare to execute it in your environment, when a thought hits you.  You don’t know the author of this script.  You don’t know if the author has a track record of writing useful, correct scripts.  You really don’t know if the author’s code is going to help your system or break it.

Maybe the author of the script put some comments in the beginning of the script file to identify themselves.

# ReallyUsefulScript.PS1
# Author: Mike Hammond, Senior Developer, Safescripter Systems, Inc.
#
#

Ah, there we are — now we know the author.  He works for some company called Safescripter. Look at that, it says so right at the top of his script.  It must be fine, then!  Right?

Wait — that’s true unless someone modified the file to make it look like Mike Hammond wrote the script.  How do I really know that the information on the top of the script is accurate?  The comments were written by… well, by the writer of the script — someone whose identity has not yet been determined.  Does this sound familiar?

This time, it’s you in the shoes of the officer, pulling somebody over for unauthenticated scripting in a posted Safe Scripting Only zone.  How are you going to prove to your satisfaction that this scripter is trustworthy?  So far, this author has only demonstrated who he believes himself to be.  Is that enough to bet the stability of a server upon?  Probably not.

So what do we do to validate this user’s bona fides?  We need the digital equivalent of the Department of Motor Vehicles — some trusted third party who can be relied upon to validate the identity of the scripter beforehand.  And as long as we can trust the credentialing procedures of that central authority, we can believe that identities determined through those processes are valid.  So, is there a Department of Safe Programming down at City Hall?  Well, no.  But we have the next best thing: a Certificate Authority.

A Certificate Authority, or CA, is a service managed by a company or organization that receives requests for a provable form of digital identity.  That organization performs some sort of due diligence in determining if the claimed identity is real, and then issues proof of identity to the requester if it seems that the requester is legit (or refuses if not).  Like this:

This is a very positive development — I could choose to have a policy of not running any scripts that aren’t produced by someone with a digital certificate that proves their identity.  But I have a deeper problem.  How do I know that someone has a digital certificate?  Should I just look in the comments of the script?

# ReallyUsefulScript.PS1
# Author: Mike Hammond, Senior Developer, Safescripter Systems, Inc.
# Digital Certificate:  Yes, I have one.  Trust me.
#

Well, we’re back in the same spot — the scripter says he has a certificate, but how do I know for sure?  In the next post, we’ll explore the technical aspects of validating digital certificates in PowerShell.
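To make the “trust me” header concrete, here is an added example (not code from the original post) that writes the post’s constructed script to a temp file and reports both the author it claims in its comments and what PowerShell can actually verify with Get-AuthenticodeSignature. The file name, the header text and the helper function Get-ScriptIdentityReport are assumptions made for this illustration.

```powershell
# Added example: contrast a script's self-asserted "Author:" comment with what
# Authenticode actually attests. The script file and its header are constructed
# to match the post's ReallyUsefulScript.PS1; nothing about it is signed.

$scriptPath = Join-Path $env:TEMP 'ReallyUsefulScript.ps1'

@'
# ReallyUsefulScript.PS1
# Author: Mike Hammond, Senior Developer, Safescripter Systems, Inc.
# Digital Certificate:  Yes, I have one.  Trust me.
Write-Output 'Doing the migration...'
'@ | Set-Content -Path $scriptPath -Encoding UTF8

function Get-ScriptIdentityReport {
    param([Parameter(Mandatory)][string]$Path)

    # What the script says about itself: the first "# Author:" comment line.
    $claimed = (Get-Content -Path $Path |
                Where-Object { $_ -match '^#\s*Author:\s*(.+)$' } |
                Select-Object -First 1) -replace '^#\s*Author:\s*', ''

    # What PowerShell can verify: the Authenticode signature block, if any.
    # Status is NotSigned here; a tampered signed file would show HashMismatch,
    # and only a signer whose certificate chains to a trusted CA yields Valid.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        ClaimedAuthor   = if ($claimed) { $claimed } else { '(none)' }
        SignatureStatus = $sig.Status
        SignerSubject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
        ChainTrusted    = ($sig.Status -eq 'Valid')
    }
}

Get-ScriptIdentityReport -Path $scriptPath
```

The comment header is the Post-it note; only the signature block, checked against a certificate chain you already trust, answers the officer’s question. Under an AllSigned execution policy PowerShell declines to run the unsigned file at all.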
